<div dir="ltr">I'm seeing the same behavior in 2.1beta3.<div><br></div><div>Multiple eve-log outputs do not appear to work. Whichever eve-log type is processed second is the only active output.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jan 29, 2015 at 2:20 PM, Brandon Lattin <span dir="ltr"><<a href="mailto:latt0050@umn.edu" target="_blank">latt0050@umn.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I have another box I can test test beta3 on.<div><br></div><div>Give me about 20 minutes and I'll get back to you.</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jan 29, 2015 at 1:42 PM, Jay M. <span dir="ltr"><<a href="mailto:jskier@gmail.com" target="_blank">jskier@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Interesting, it may have to do with using the same types multiple<br>
times. Beta3 fixed a redundancy issue, which isn't exactly related to<br>
what you're seeing (almost the opposite problem).<br>
<br>
Are you able to test beta3 with this? When I have time I can give it a<br>
shot in my test environment. Looks like a bug report is probably in<br>
order.<br>
<br>
--<br>
Jay<br>
<a href="mailto:jskier@gmail.com" target="_blank">jskier@gmail.com</a><br>
<div><div><br>
<br>
On Thu, Jan 29, 2015 at 12:38 PM, Brandon Lattin <<a href="mailto:latt0050@umn.edu" target="_blank">latt0050@umn.edu</a>> wrote:<br>
> Is anyone successfully using multiple eve json methods?<br>
><br>
> Note that I'm using Suricata 2.1beta2<br>
><br>
> For details see:<br>
> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput</a><br>
><br>
> I'm currently attempting to output to both a file and syslog. I'm<br>
> sidestepping the eve-logging syslog output problems by enabling "standard"<br>
> syslog alert output, which generates redundant alerts, but otherwise works<br>
> to set the facility and identity of eve-log. (See:<br>
> <a href="https://redmine.openinfosecfoundation.org/issues/1204" target="_blank">https://redmine.openinfosecfoundation.org/issues/1204</a>)<br>
><br>
> I'm having no luck. I either get either syslog output or file output,<br>
> depending on the order of the eve-log entries. Never both. The second<br>
> eve-log appears to override the first, which is not the behavior I'd expect<br>
> after reading:<br>
> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput</a><br>
><br>
> Below are the relevant snippets from the suricata.yaml:<br>
><br>
><br>
> outputs:<br>
> - syslog:<br>
> enabled: yes<br>
> # reported identity to syslog. If ommited the program name (usually<br>
> # suricata) will be used.<br>
> identity: "suricata"<br>
> facility: local5<br>
> level: Info ## possible levels: Emergency, Alert, Critical,<br>
> ## Error, Warning, Notice, Info, Debug<br>
><br>
> # Extensible Event Format (nicknamed EVE) event log in JSON format<br>
> - eve-log:<br>
> enabled: yes<br>
> type: syslog #file|syslog|unix_dgram|unix_stream<br>
> # the following are valid when type: syslog above<br>
> identity: "suricata"<br>
> facility: local5<br>
> level: Info ## possible levels: Emergency, Alert, Critical,<br>
> ## Error, Warning, Notice, Info, Debug<br>
> types:<br>
> - alert:<br>
> payload-printable: yes # enable dumping payload in printable<br>
> (lossy) format<br>
><br>
> - eve-log:<br>
> enabled: yes<br>
> type: file #file|syslog|unix_dgram|unix_stream<br>
> filename: eve-port1.json<br>
> # the following are valid when type: syslog above<br>
> #identity: "suricata"<br>
> #facility: local5<br>
> #level: Info ## possible levels: Emergency, Alert, Critical,<br>
> ## Error, Warning, Notice, Info, Debug<br>
> types:<br>
> - alert:<br>
> payload-printable: yes # enable dumping payload in printable<br>
> (lossy) format<br>
><br>
><br>
><br>
> Thanks!<br>
><br>
> --<br>
> Brandon Lattin<br>
> Security Analyst<br>
> University of Minnesota - University Information Security<br>
> Office: <a href="tel:612-626-6672" value="+16126266672" target="_blank">612-626-6672</a><br>
><br>
</div></div>> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div><div dir="ltr">Brandon Lattin<div>Security Analyst<br><div>University of Minnesota - University Information Security<br>Office: <a href="tel:612-626-6672" value="+16126266672" target="_blank">612-626-6672</a></div></div></div></div>
</div>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Brandon Lattin<div>Security Analyst<br><div>University of Minnesota - University Information Security<br>Office: 612-626-6672</div></div></div></div>
</div>